Abstract

Combining symbolic techniques such as: (i) SMT solving, (ii) rewriting modulo theories, and (iii) model checking can enable the analysis of infinite-state systems outside the scope of each such technique. This paper proposes rewriting modulo SMT as a new technique combining the powers of (i)-(iii) and ideally suited to model and analyze infinite-state open systems; that is, systems that interact with a non-deterministic environment. Such systems exhibit both internal non-determinism due to the system, and external non-determinism due to the environment. They are not amenable to finite-state model checking analysis because they typically are infinite-state. By being reducible to standard rewriting using reflective techniques, rewriting modulo SMT can both naturally model and analyze open systems without requiring any changes to rewriting-based reachability analysis techniques for closed systems. This is illustrated by the analysis of a real-time system beyond the scope of timed automata methods.



1 Introduction 


Symbolic techniques that represent possibly infinite sets of states by symbolic constraints have become essential to make formal verification, using model checking, theorem proving, or combining features from both, much more scalable. They provide high levels of automation when verifying various kinds of infinite-state systems. Such techniques have been vigorously developed, adopted in many systems, and proved highly successful. They include: (i) SAT solving and other decision procedures, and their combination into Satisfiability Modulo Theories (SMT) solvers; (ii) rewriting- and unification-based techniques, including rewriting modulo theories and narrowing modulo theories; and (iii) symbolic model checking techniques.

A key open research issue limiting the applicability of current symbolic techniques is lack of, or limited support for, extensibility. That is, although certain classes of systems can be formalized in ways that enable the application of specific symbolic analysis techniques, many other systems of interest (Section 6 provides an example) fall outside the scope of some existing symbolic techniques. In such cases one would like to extend and combine the power of symbolic techniques to analyze the given system.

Certainly, some techniques to combine methods or procedures provide useful ways of broadening the scope of methods and tools. For example: (i) combinations of decision procedures, e.g., [26,27]; and of unification algorithms, e.g., [5,10]; (ii) combinations of theorem provers with decision procedures, e.g., [1,9,31]; and (iii) integration of SMT solvers in model checkers, e.g., [3,17,25,34,36]. However, it seems fair to say that at present there is a lack of general extensibility techniques for symbolic analysis that can simultaneously combine the power of SMT solving, rewriting- and narrowing-based analysis, and symbolic model checking to analyze systems beyond the scope of each separate analysis technique.

The main goal of the present work is to propose a new symbolic technique that seamlessly combines the powers of rewriting modulo theories, SMT solving, and model checking. For brevity, this technique is called rewriting modulo SMT, although it could more precisely be called "rewriting modulo SMT+$B$," where $B$ is any equational theory having a matching algorithm. It complements, and has similarities with, another symbolic technique combining narrowing modulo theories and model checking, namely, narrowing-based reachability analysis [24] and its extension to symbolic LTL model checking [7].

Rewriting modulo SMT can be usefully applied to increase the power of equational reasoning, but its full power (including its model checking capabilities) is best exploited when applied to concurrent open systems. The key point is that deterministic systems can be naturally specified by equational theories, but specification of concurrent, non-deterministic systems requires rewrite theories [21], that is, triples $\mathcal{R} = (\Sigma, E, R)$ with $(\Sigma, E)$ an equational theory describing system states as elements of the initial algebra $\mathcal{T}_{\Sigma/E}$ and $R$ rewrite rules describing the system's local concurrent transitions. Although extensive experience and many tools exist to specify and analyze concurrent systems in this way (see the survey [23]), the specification of concurrent open systems remains quite challenging. However, as explained below, specification and analysis of open systems becomes easy and unproblematic with rewriting modulo SMT.

An open system is a concurrent system that interacts with an external, non-deterministic environment. When such a system is specified by a rewrite theory $\mathcal{R} = (\Sigma, E, R)$, it has two sources of non-determinism, one internal and the other external. Internal non-determinism comes from the fact that in a given system state different instances of rules in $R$ may be enabled, and the local transitions thus enabled may lead to completely different states. What is peculiar about an open system is that it also has external, and often infinitely-branching, non-determinism due to the environment. That is, the state of an open system must include the state changes due to the environment. Technically, this means that, while a system transition in a closed system can be described by a rewrite rule $t \to t'$ with $vars(t') \subseteq vars(t)$, a transition in an open system is instead modeled by a rule of the form $t(\vec{x}) \to t'(\vec{x}, \vec{y})$, where $\vec{y}$ represents fresh new variables. Therefore, a substitution for the variables $\vec{x} \uplus \vec{y}$ decomposes into two substitutions, one, say $\theta$, for the variables $\vec{x}$ under the control of the system, and another, say $\rho$, for the variables $\vec{y}$ under the control of the environment. In rewriting modulo SMT such open systems are described by conditional rewrite rules of the form $t(\vec{x}) \to t'(\vec{x}, \vec{y})$ if $\phi$, where $\phi$ is a constraint solvable by an SMT solver. This constraint $\phi$ may still allow the environment to choose an infinite number of substitutions $\rho$ for the variables $\vec{y}$, but can exclude choices that the environment will never make.

The non-trivial challenges of modeling and analyzing open systems can now be better explained. They include: (1) the enormous and possibly infinitary non-determinism due to the environment, which typically renders finite-state model checking impossible or unfeasible; (2) the impossibility of executing the rewrite theory $\mathcal{R} = (\Sigma, E, R)$ in the standard sense, due to the non-deterministic choice of $\rho$; and (3) the in general undecidable challenge of checking the rule's condition $\phi$, since without knowing $\rho$, the condition $\phi\theta$ is non-ground, so that its $E$-satisfiability may be undecidable, even for $E$ confluent and terminating. As further explained in the paper, challenges (1)-(3) are all met successfully by rewriting modulo SMT because: (1) states are represented not as concrete states (i.e., ground terms) but as symbolic constrained terms $(t ; \varphi)$ with $t$ a term with variables ranging in the domain(s) handled by the SMT solver and $\varphi$ an SMT-solvable formula, so that the choice of $\rho$ is avoided; (2) rewriting modulo SMT can symbolically rewrite such pairs $(t ; \varphi)$ (describing possibly infinite sets of concrete states) to other pairs $(t' ; \varphi')$; and (3) decidability of $\phi\theta$ (more precisely of $\varphi \wedge \phi\theta$) can be settled by invoking an SMT solver.

How rewriting modulo SMT is seamlessly integrated with a symbolic style of model checking for infinite-state systems, thus combining the power of rewriting, SMT solving, and model checking, is also worth explaining. The essential point (further expanded in Section 5) is that, by exploiting the fact that rewriting logic is reflective [14], rewriting modulo SMT can be reduced to standard rewriting. Specifically, this means that all the techniques, algorithms, and tools available for model checking closed systems specified as rewrite theories, such as Maude's search-based reachability analysis [13], become directly available to perform symbolic reachability analysis on systems that are now infinite-state. This is illustrated by the formal analysis of an infinite-state real-time system outside the scope of timed-automata techniques in Section 6.

Contributions. The contributions of this paper can be summarized as follows: (1) it presents rewriting modulo SMT as a new symbolic technique combining the powers of rewriting, SMT solving, and model checking; (2) this combined power can be applied to model and analyze systems outside the scope of each individual technique; (3) in particular, it is ideally suited to model and analyze the challenging case of open systems; and (4) because of its reflective reduction to standard rewriting, current algorithms and tools for model checking closed systems can be reused in this new symbolic setting without requiring any changes to their implementation.

2 Preliminaries 

We recall notation on terms, term algebras, and equational theories as in [6,18]. 

An order-sorted signature $\Sigma$ is a tuple $\Sigma = (S, \leq, F)$ with a finite poset of sorts $(S, \leq)$ and set of function symbols $F$. The binary relation $\equiv_{\leq}$ denotes the equivalence relation generated by $\leq$ on $S$ and its point-wise extension to strings in $S^*$. The function symbols in $F$ can be subsort-overloaded and satisfy the condition that, for $(w, s), (w', s') \in S^* \times S$, if $f \in F_{w,s} \cap F_{w',s'}$, then $w \equiv_{\leq} w'$ implies $s \equiv_{\leq} s'$. A top sort in $\Sigma$ is a sort $s \in S$ such that if $s' \in S$ and $s \equiv_{\leq} s'$, then $s' \leq s$. For any sort $s \in S$, the expression $[s]$ denotes the connected component of $s$, that is, $[s] = [s]_{\equiv_{\leq}}$.

The variables $X$ are an $S$-indexed family $X = \{X_s\}_{s \in S}$ of disjoint variable sets with each $X_s$ countably infinite. The set of terms of sort $s$ is denoted $T_\Sigma(X)_s$ and the set of ground terms of sort $s$ is denoted $T_{\Sigma,s}$. $T_\Sigma(X)$ and $T_\Sigma$ denote the corresponding order-sorted $\Sigma$-term algebras. All order-sorted signatures are assumed preregular [18], i.e., each $\Sigma$-term $t$ has a least sort $ls(t) \in S$ s.t. $t \in T_\Sigma(X)_{ls(t)}$. For $S' \subseteq S$, a term is called $S'$-linear if no variable with sort in $S'$ occurs in it twice. The set of variables of $t$ is written $vars(t)$.

A substitution is an $S$-indexed mapping $\theta : X \to T_\Sigma(X)$ that is different from the identity only for a finite subset of $X$. The identity substitution is denoted by $id$ and $\theta|_Y$ denotes the restriction of $\theta$ to a family of variables $Y \subseteq X$. $dom(\theta)$ denotes the domain of $\theta$, i.e., the subfamily of $X$ for which $\theta(x) \neq x$, and $ran(\theta)$ denotes the family of variables introduced by $\theta(x)$, for $x \in dom(\theta)$. Substitutions extend homomorphically to terms in the natural way. A substitution $\theta$ is called ground iff $ran(\theta) = \emptyset$. The application of a substitution $\theta$ to a term $t$ is denoted by $t\theta$ and the composition of two substitutions $\theta_1$ and $\theta_2$ is denoted by $\theta_1\theta_2$. A context $C$ is a $\lambda$-term of the form $C = \lambda x_1, \ldots, x_n.c$ with $c \in T_\Sigma(X)$ and $\{x_1, \ldots, x_n\} \subseteq vars(c)$; it can be viewed as an $n$-ary function $C(t_1, \ldots, t_n) = c\theta$, where $\theta(x_i) = t_i$ for $1 \leq i \leq n$ and $\theta(x) = x$ otherwise.

A $\Sigma$-equation is an unoriented pair $t = u$ with $t \in T_\Sigma(X)_{s_t}$, $u \in T_\Sigma(X)_{s_u}$, and $s_t \equiv_{\leq} s_u$. A conditional $\Sigma$-equation is a triple $t = u$ if $\gamma$, with $t = u$ a $\Sigma$-equation and $\gamma$ a finite conjunction of $\Sigma$-equations; it is called unconditional if $\gamma$ is the empty conjunction. An equational theory is a tuple $(\Sigma, E)$, with $\Sigma$ an order-sorted signature and $E$ a finite collection of (possibly conditional) $\Sigma$-equations. We assume throughout that $T_{\Sigma,s} \neq \emptyset$ for each $s \in S$, because this affords a simpler deduction system. An equational theory $\mathcal{E} = (\Sigma, E)$ induces the congruence relation $=_{\mathcal{E}}$ on $T_\Sigma(X)$ defined for $t, u \in T_\Sigma(X)$ by $t =_{\mathcal{E}} u$ iff $\mathcal{E} \vdash t = u$ by the deduction rules for order-sorted equational logic in [22]. Similarly, $=^1_{\mathcal{E}}$ denotes provable $\mathcal{E}$-equality in one step of deduction. The $\mathcal{E}$-subsumption ordering $\ll_{\mathcal{E}}$ is the binary relation on $T_\Sigma(X)$ defined for any $t, u \in T_\Sigma(X)$ by $t \ll_{\mathcal{E}} u$ iff there is a substitution $\theta : X \to T_\Sigma(X)$ such that $t =_{\mathcal{E}} u\theta$. A set of equations $E$ is called collapse-free for a subset of sorts $S' \subseteq S$ iff for any $t = u \in E$ and any substitution $\theta : X \to T_\Sigma(X)$ neither $t\theta$ nor $u\theta$ are a variable for some sort $s \in S'$. $\mathcal{T}_{\mathcal{E}}(X)$ and $\mathcal{T}_{\mathcal{E}}$ (also written $\mathcal{T}_{\Sigma/E}(X)$ and $\mathcal{T}_{\Sigma/E}$) denote the quotient algebras induced by $=_{\mathcal{E}}$ on the term algebras $T_\Sigma(X)$ and $T_\Sigma$, respectively; $\mathcal{T}_{\Sigma/E}$ is called the initial algebra of $(\Sigma, E)$. A theory inclusion $(\Sigma, E) \subseteq (\Sigma', E')$, with $\Sigma \subseteq \Sigma'$ and $E \subseteq E'$, is called protecting iff the unique $\Sigma$-homomorphism $\mathcal{T}_{\Sigma/E} \to \mathcal{T}_{\Sigma'/E'}|_\Sigma$ to the $\Sigma$-reduct of the initial algebra $\mathcal{T}_{\Sigma'/E'}$ is a $\Sigma$-isomorphism, written $\mathcal{T}_{\Sigma/E} \simeq \mathcal{T}_{\Sigma'/E'}|_\Sigma$. A set of equations $E$ is called regular iff $vars(t) = vars(u)$ for any equation $t = u$ if $\gamma \in E$.

Appropriate requirements are needed to make an equational theory $\mathcal{E}$ admissible, i.e., executable in a rewriting language such as Maude [13]. It is assumed that the equations of $\mathcal{E}$ can be decomposed into a disjoint union $E \uplus B$, with $B$ a collection of structural axioms (such as associativity, and/or commutativity, and/or identity) for which there exists a matching algorithm modulo $B$ producing a finite number of $B$-matching solutions, or failing otherwise, and that the equations $E$ can be oriented into a set (of possibly conditional) sort-decreasing, operationally terminating, and confluent conditional rewrite rules $\vec{E}$ modulo $B$. $\vec{E}$ is sort-decreasing modulo $B$ iff for each $t \to u$ if $\gamma \in \vec{E}$ and substitution $\theta$, $ls(t\theta) \geq ls(u\theta)$ if $(\Sigma, B, \vec{E}) \vdash \gamma\theta$. $\vec{E}$ is operationally terminating modulo $B$ iff there is no infinite well-formed proof tree in $(\Sigma, B, \vec{E})$. $\vec{E}$ is confluent modulo $B$ iff for all $t, t_1, t_2 \in T_\Sigma(X)$, if $t \to^*_{E/B} t_1$ and $t \to^*_{E/B} t_2$, then there is $u \in T_\Sigma(X)$ such that $t_1 \to^*_{E/B} u$ and $t_2 \to^*_{E/B} u$. The term $t{\downarrow_{E/B}} \in T_\Sigma(X)$ denotes the $E$-canonical form of $t$ modulo $B$, so that $t \to^*_{E/B} t{\downarrow_{E/B}}$ and $t{\downarrow_{E/B}}$ cannot be further reduced by $\to_{E/B}$. Under the above assumptions $t{\downarrow_{E/B}}$ is unique up to $B$-equality.

A $\Sigma$-rule is a triple $l \to r$ if $\phi$, with $l, r \in T_\Sigma(X)_s$, for some sort $s \in S$, and $\phi = \bigwedge_{i \in I} t_i = u_i$ a finite conjunction of $\Sigma$-equations. A rewrite theory is a tuple $\mathcal{R} = (\Sigma, E, R)$ with $(\Sigma, E)$ an order-sorted equational theory and $R$ a finite set of $\Sigma$-rules. $\mathcal{R}$ induces a rewrite relation on $T_\Sigma(X)$ defined for every $t, u \in T_\Sigma(X)$ by $t \to_{\mathcal{R}} u$ iff there is a rule $(l \to r$ if $\phi) \in R$ and a substitution $\theta : X \to T_\Sigma(X)$ satisfying $t =_E l\theta$, $u =_E r\theta$, and $E \vdash \phi\theta$. The relation $\to_{\mathcal{R}}$ is undecidable in general, unless conditions such as coherence [35] are given. A key point of this paper is to make such a relation decidable when $E$ decomposes as $\mathcal{E}_0 \uplus B_1$, where $\mathcal{E}_0$ is a built-in theory for which formula satisfiability is decidable and $B_1$ has a matching algorithm. A topmost rewrite theory is a rewrite theory $\mathcal{R} = (\Sigma, E, R)$ such that, for some top sort $State$, no operator in $\Sigma$ has $State$ as argument sort and each rule $l \to r$ if $\phi \in R$ satisfies $l, r \in T_\Sigma(X)_{State}$ and $l \notin X$.


3 Rewriting Modulo a Built-in Subtheory 

The concept of rewriting modulo a built-in equational subtheory is presented. In particular, the notion of rewrite theory modulo a built-in subtheory and its ground rewrite relation are introduced. A canonical representation for rewrite theories modulo built-ins is proposed, and some basic results are proved.

Definition 1 (Signature with Built-ins). An order-sorted signature $\Sigma = (S, \leq, F)$ is a signature with built-in subsignature $\Sigma_0 \subseteq \Sigma$ iff $\Sigma_0 = (S_0, F_0)$ is many-sorted, $S_0$ is a set of minimal elements in $(S, \leq)$, and if $f : w \to s \in F_1$, then $s \notin S_0$ and $f$ has no other typing in $F_0$, where $F_1 = F \setminus F_0$.

The notion of built-in subsignature in an order-sorted signature $\Sigma$ is modeled by a many-sorted signature $\Sigma_0$ defining the built-in terms $T_{\Sigma_0}(X_0)$. The restriction imposed on the sorts and the function symbols in $\Sigma$ w.r.t. $\Sigma_0$ provides a clear syntactic distinction between built-in terms (the only ones with built-in sorts) and all other terms.

If $\Sigma \supseteq \Sigma_0$ is a signature with built-ins, then an abstraction of built-ins for $t$ is a context $\lambda x_1 \cdots x_n.t^\circ$ such that $t^\circ \in T_{\Sigma_1}(X)$ and $\{x_1, \ldots, x_n\} = vars(t^\circ) \cap X_0$, where $\Sigma_1 = (S, \leq, F_1)$ and $X_0 = \{X_s\}_{s \in S_0}$. Lemma 1 shows that such an abstraction can be chosen so as to provide a canonical decomposition of $t$ with useful properties.

Lemma 1. Let $\Sigma$ be a signature with built-in subsignature $\Sigma_0 = (S_0, F_0)$. For each $t \in T_\Sigma(X)$, there exist an abstraction of built-ins $\lambda x_1 \cdots x_n.t^\circ$ for $t$ and a substitution $\theta^\circ : X_0 \to T_{\Sigma_0}(X_0)$ such that (i) $t = t^\circ\theta^\circ$, (ii) $\{x_1, \ldots, x_n\}$ are pairwise distinct and disjoint from $vars(t)$, and (iii) $\theta^\circ(x) = x$ if $x \neq x_i$, for $1 \leq i \leq n$; moreover, (iv) $t^\circ$ can always be selected to be $S_0$-linear and with $\{x_1, \ldots, x_n\}$ disjoint from an arbitrarily chosen finite subset $Y$ of $X_0$.

Proof. By induction on the structure of $t$. □

In the rest of the paper, for any $t \in T_\Sigma(X)$ and $Y \subseteq X_0$ finite, the expression $abstract_{\Sigma_0}(t, Y)$ denotes the choice of a triple $(\lambda x_1 \cdots x_n.t^\circ ; \theta^\circ ; \phi^\circ)$ such that the context $\lambda x_1 \cdots x_n.t^\circ$ and the substitution $\theta^\circ$ satisfy the properties (i)-(iv) in Lemma 1, and $\phi^\circ = \bigwedge_{i=1}^{n} (x_i = \theta^\circ(x_i))$.

Under certain restrictions on axioms, matching a $\Sigma$-term $t$ to a $\Sigma$-term $u$ can be decomposed modularly into $\Sigma_1$-matching of the corresponding $\lambda$-abstraction and $\Sigma_0$-matching of the built-in subterms. This is described in Lemma 2. The proof of this lemma uses the following corollary.

Corollary 1. Let $\Sigma = (S, \leq, F)$ be a signature with built-in subsignature $\Sigma_0 = (S_0, F_0)$. Let $B_0$ be a set of $\Sigma_0$-axioms and $B_1$ a set of $\Sigma_1$-axioms. For $B_0$ and $B_1$ regular, linear, collapse free for any sort in $S_0$, and sort-preserving, and $t \in T_\Sigma(X_0)$:

(a) if $t \in T_{\Sigma_0}(X_0)$ and $t =^1_{B_1} t'$, then $t = t'$;

(b) if $t \in T_{\Sigma_1}(X_0)$ and $t =^1_{B_0} t'$, then $t = t'$;

(c) if $t \in T_{\Sigma_1}(X_0)$ and $t =_{B_1} t'$, then $vars(t) = vars(t')$ and $t$ is linear iff $t'$ is so.

Proof.

(a) Axioms $B_1$ do not mention any function symbol in $F_0$. Therefore, the equations in $B_1$ can only apply to variables in $X_0$. But $B_1$ is collapse-free for any sort in $S_0$, so that no $B_1$ equation can be applied to $t$, forcing $t = t'$.

(b) Same argument as (a).

(c) Trivial consequence of $B_1$ being regular and linear.

□

Lemma 2. Let $\Sigma = (S, \leq, F)$ be a signature with built-in subsignature $\Sigma_0 = (S_0, F_0)$. Let $B_0$ be a set of $\Sigma_0$-axioms and $B_1$ a set of $\Sigma_1$-axioms. For $B_0$ and $B_1$ regular, linear, collapse free for any sort in $S_0$, and sort-preserving, if $t \in T_{\Sigma_1}(X_0)$ is linear with $vars(t) = \{x_1, \ldots, x_n\}$, then for each $\theta : X_0 \to T_{\Sigma_0}(X_0)$:

(a) if $t\theta =^1_{B_0} t'$, then there exist $x \in \{x_1, \ldots, x_n\}$ and $w \in T_{\Sigma_0}(X_0)$ such that $\theta(x) =^1_{B_0} w$ and $t' = t\theta'$, with $\theta'(x) = w$ and $\theta'(y) = \theta(y)$ otherwise;

(b) if $t\theta =_{B_1} t'$, then there exists $v \in T_{\Sigma_1}(X_0)$ such that $t =_{B_1} v$ and $t' = v\theta$; and

(c) if $t\theta =_{B_0 \uplus B_1} t'$, then there exist $v \in T_{\Sigma_1}(X_0)$ and $\theta' : X_0 \to T_{\Sigma_0}(X_0)$ such that $t' = v\theta'$, $t =_{B_1} v$, and $\theta =_{B_0} \theta'$ (i.e., $\theta(x) =_{B_0} \theta'(x)$ for each $x \in X_0$).

Proof. (a) It follows from Corollary 1 part (b) that $B_0$ can only be applied on some built-in subterm $\theta(x)$ of $t\theta$, for some $x \in dom(\theta)$. That is, there is $w \in T_{\Sigma_0}(X_0)$ such that $\theta(x) =^1_{B_0} w$ and, since $t$ is linear, $t' = t\theta'$, where $\theta'(x) = w$ and $\theta'(y) = \theta(y)$ otherwise.

(b) It follows from Corollary 1 part (c) that equational deduction with $B_1$ can only permute the built-in variables in $t$ and it does not equate built-in subterms such as the ones in $ran(\theta)$. Hence, by Corollary 1 part (c), there exists a linear $v \in T_{\Sigma_1}(X_0)$ such that $t =_{B_1} v$ and $t' = v\theta$.

(c) Follows by induction on the proof's length in $B_0 \uplus B_1$.

□


Definition 2 introduces the notion of rewriting modulo a built-in subtheory. 

Definition 2 (Rewriting Modulo a Built-in Subtheory). A rewrite theory modulo the built-in subtheory $\mathcal{E}_0$ is a topmost rewrite theory $\mathcal{R} = (\Sigma, E, R)$ with:

(a) $\Sigma = (S, \leq, F)$ a signature with built-in subsignature $\Sigma_0 = (S_0, F_0)$ and top sort $State \in S$;

(b) $E = E_0 \uplus B_0 \uplus B_1$, where $E_0$ is a set of $\Sigma_0$-equations, $B_0$ (resp., $B_1$) are $\Sigma_0$-axioms (resp., $\Sigma_1$-axioms) satisfying the conditions in Lemma 2, $\mathcal{E}_0 = (\Sigma_0, E_0 \uplus B_0)$ and $\mathcal{E} = (\Sigma, E)$ are admissible, and the theory inclusion $\mathcal{E}_0 \subseteq \mathcal{E}$ is protecting;

(c) $R$ is a set of rewrite rules of the form $l(\vec{x}_1, \vec{y}) \to r(\vec{x}_2, \vec{y})$ if $\phi(\vec{x}_3)$ such that $l, r \in T_\Sigma(X)_{State}$, $l$ is $(S \setminus S_0)$-linear, $\vec{x}_i : \vec{s}_i$ with $\vec{s}_i \in S_0^*$, for $i \in \{1, 2, 3\}$, $\vec{y} : \vec{u}$ with $\vec{u} \in (S \setminus S_0)^*$, and $\phi \in QF_{\Sigma_0}(X_0)$, where $QF_{\Sigma_0}(X_0)$ denotes the set of quantifier-free $\Sigma_0$-formulas with variables in $X_0$.

Note that, due to the presence of conditions $\phi$ in the rules of $\mathcal{R}$ that are general quantifier-free formulas, as opposed to a conjunction of atoms, properly speaking $\mathcal{R}$ is somewhat more general than a standard rewrite theory as defined in Section 2.

The binary rewrite relation induced by a rewrite theory $\mathcal{R}$ modulo $\mathcal{E}_0$ on $T_{\Sigma,State}$ is called the ground rewrite relation of $\mathcal{R}$.

Definition 3 (Ground Rewrite Relation). Let $\mathcal{R} = (\Sigma, E, R)$ be a rewrite theory modulo $\mathcal{E}_0$. The relation $\to_{\mathcal{R}}$ induced by $\mathcal{R}$ on $T_{\Sigma,State}$ is defined for $t, u \in T_{\Sigma,State}$ by $t \to_{\mathcal{R}} u$ iff there is a rule $l \to r$ if $\phi$ in $R$ and a ground substitution $\sigma : X \to T_\Sigma$ such that (a) $t =_E l\sigma$, $u =_E r\sigma$, and (b) $\mathcal{T}_{\mathcal{E}_0} \models \phi\sigma$.

The ground rewrite relation $\to_{\mathcal{R}}$ is the topmost rewrite relation induced by $R$ modulo $E$ on $T_{\Sigma,State}$. This relation is defined even when a rule in $R$ has extra variables in its righthand side: the rule is then non-deterministic and such extra variables can be arbitrarily instantiated, provided that the corresponding instantiation of $\phi$ holds. Also, note that non built-in variables can occur in $l$, but $\phi\sigma$ is a variable-free formula in $QF_{\Sigma_0}(\emptyset)$, so that either $\mathcal{T}_{\mathcal{E}_0} \models \phi\sigma$ or $\mathcal{T}_{\mathcal{E}_0} \not\models \phi\sigma$.

A rewrite theory $\mathcal{R}$ modulo $\mathcal{E}_0$ always has a canonical representation in which all left-hand sides of rules are linear $\Sigma_1$-terms.

Definition 4 (Normal Form of a Rewrite Theory Modulo $\mathcal{E}_0$). Let $\mathcal{R} = (\Sigma, E, R)$ be a rewrite theory modulo $\mathcal{E}_0$. Its normal form $\mathcal{R}^\circ = (\Sigma, E, R^\circ)$ has rules:

$$R^\circ = \{\, l^\circ \to r \text{ if } \phi \wedge \phi^\circ \;\mid\; (\exists\, l \to r \text{ if } \phi \in R)\ (\lambda\vec{x}.l^\circ ; \theta^\circ ; \phi^\circ) = abstract_{\Sigma_0}(l, vars(\{l, r, \phi\})) \,\}.$$

Lemma 3 (Invariance of Ground Rewriting under Normalization). Let $\mathcal{R} = (\Sigma, E, R)$ be a rewrite theory modulo $\mathcal{E}_0$. Then $\to_{\mathcal{R}} = \to_{\mathcal{R}^\circ}$.

Proof. We show that $\to_{\mathcal{R}} \subseteq \to_{\mathcal{R}^\circ}$ and $\to_{\mathcal{R}^\circ} \subseteq \to_{\mathcal{R}}$.

($\subseteq$) Let $t, u \in T_{\Sigma,State}$. If $t \to_{\mathcal{R}} u$, then there is a rule $(l \to r$ if $\phi) \in R$ and a ground substitution $\sigma : X \to T_\Sigma$ such that $t =_E l\sigma$, $u =_E r\sigma$, and $\mathcal{T}_{\mathcal{E}_0} \models \phi\sigma$. It suffices to prove $t \to_{\mathcal{R}^\circ} u$ with witnesses $(l^\circ \to r$ if $\phi \wedge \phi^\circ) \in R^\circ$ and $\rho = \theta^\circ\sigma$. Note that $t =_E l\sigma = l^\circ\theta^\circ\sigma = l^\circ\rho$. For $\mathcal{T}_{\mathcal{E}_0} \models (\phi \wedge \phi^\circ)\rho$ first note that $\mathcal{T}_{\mathcal{E}_0} \models \phi\rho$ since $\phi\rho = \phi\theta^\circ\sigma = \phi\sigma$ (because $vars(\phi) \cap dom(\theta^\circ) = \emptyset$) and $\mathcal{T}_{\mathcal{E}_0} \models \phi\sigma$ by assumption. For $\mathcal{T}_{\mathcal{E}_0} \models \phi^\circ\rho$ notice that $\theta^\circ\theta^\circ = \theta^\circ$ because $ran(\theta^\circ) \cap dom(\theta^\circ) = \emptyset$, and then:

$$\Big(\bigwedge_{i=1}^{n} x_i = \theta^\circ(x_i)\Big)\rho \;=\; \bigwedge_{i=1}^{n} x_i\rho = \theta^\circ(x_i)\rho \;=\; \bigwedge_{i=1}^{n} \theta^\circ(x_i)\sigma = \theta^\circ(x_i)\theta^\circ\sigma \;=\; \bigwedge_{i=1}^{n} \theta^\circ(x_i)\sigma = \theta^\circ(x_i)\sigma \;=\; \top.$$

Hence $t \to_{\mathcal{R}^\circ} u$ as desired.

($\sup$) Let $t, u \in T_{\Sigma,State}$. If $t \to_{\mathcal{R}^\circ} u$, then there is a rule $(l \to r$ if $\phi) \in R$ and a ground substitution $\sigma : X \to T_\Sigma$ such that $t =_E l^\circ\sigma$, $u =_E r\sigma$, and $\mathcal{T}_{\mathcal{E}_0} \models (\phi \wedge \phi^\circ)\sigma$. It suffices to prove $t \to_{\mathcal{R}} u$ with witness $(l \to r$ if $\phi) \in R$. Let $(\lambda x_1 \cdots x_n.l^\circ ; \theta^\circ ; \phi^\circ)$ be the abstraction of built-ins for $l$. Substitution $\sigma$ can be decomposed into substitutions $\theta : X_0 \to T_{\Sigma_0}(X_0)$ and $\rho : X \to T_\Sigma$, with $\theta(x) = \sigma(x)$ if $x \in \{x_1, \ldots, x_n\}$ and $\theta(x) = x$ otherwise, such that $\sigma = \theta\rho$. From $\mathcal{T}_{\mathcal{E}_0} \models (\phi \wedge \phi^\circ)\sigma$ it follows that $\mathcal{T}_{\mathcal{E}_0} \models \phi\sigma$, i.e., $\mathcal{T}_{\mathcal{E}_0} \models \phi\rho$ because $vars(\phi) \cap dom(\theta) = \emptyset$. Also, it follows that $\mathcal{T}_{\mathcal{E}_0} \models \bigwedge_{i=1}^{n} \theta(x_i)\rho = \theta^\circ(x_i)\rho$, which implies that:

$$t =_E l^\circ\sigma = l^\circ\theta\rho =_{E_0 \uplus B_0} l^\circ\theta^\circ\rho = l\rho.$$

Hence $t \to_{\mathcal{R}} u$, as desired.

□

By the properties of the axioms in a rewrite theory modulo built-ins $\mathcal{R} = (\Sigma, E_0 \uplus B_0 \uplus B_1, R)$, $B_1$-matching a term $t \in T_\Sigma(X_0)$ to a left-hand side $l^\circ$ of a rule in $R^\circ$ provides a complete unifiability algorithm for ground $B_1$-unification of $t$ and $l^\circ$.

Lemma 4 (Matching Lemma). Let $\mathcal{R} = (\Sigma, E_0 \uplus B_0 \uplus B_1, R)$ be a rewrite theory modulo $\mathcal{E}_0$. For $t \in T_\Sigma(X_0)_{State}$ and $l^\circ$ a left-hand side of a rule in $R^\circ$ such that $vars(t) \cap vars(l^\circ) = \emptyset$, $t \ll_{B_1} l^\circ$ iff $GU_{B_1}(t = l^\circ) \neq \emptyset$ holds, where $GU_{B_1}(t = l^\circ) = \{\sigma : X \to T_\Sigma \mid t\sigma =_{B_1} l^\circ\sigma\}$.

Proof.

($\Rightarrow$) If $t \ll_{B_1} l^\circ$, then $t =_{B_1} l^\circ\theta$ for some $\theta : X \to T_\Sigma(X)$. Let $\rho : X \to T_\Sigma$ be any ground substitution. Then $\theta\rho \in GU_{B_1}(t = l^\circ)$.

($\Leftarrow$) Let $\sigma \in GU_{B_1}(t = l^\circ)$ with $l \to r$ if $\phi \in R$. Let $vars(l^\circ) \cap X_0 = \{x_1, \ldots, x_n\}$ and $X_1 = X \setminus X_0$. Note that there are substitutions

$$\alpha : vars(l^\circ) \cap X_1 \to T_{\Sigma_1}(X_0) \qquad\qquad \rho : X \setminus dom(\alpha) \to T_\Sigma$$

satisfying $\sigma = \alpha\rho$ and such that $l^\circ\alpha \in T_{\Sigma_1}(X_0)$ is linear and $ran(\alpha) \cap vars(t, l^\circ) = \emptyset$. Let $ran(\alpha) = \{y_1, \ldots, y_m\}$. Therefore, by Lemma 2, there exists $u \in T_{\Sigma_1}(X_0)$ such that $u =_{B_1} l^\circ\alpha$, $u$ is linear, $vars(u) = vars(l^\circ\alpha) = \{x_1, \ldots, x_n, y_1, \ldots, y_m\}$, and $u\rho = t$. Moreover, $t$ can be written as

$$u(t_1, \ldots, t_n, t_{n+1}, \ldots, t_{n+m})$$

with $t_i \in T_{\Sigma_0}(X_0)$. Define $\theta : X_0 \to T_{\Sigma_0}(X_0)$ by $\theta(x_i) = t_i$ if $x_i \in \{x_1, \ldots, x_n\}$, $\theta(y_i) = t_{i+n}$ if $y_i \in \{y_1, \ldots, y_m\}$, and $\theta(x) = x$ otherwise. Then we have:

$$t = u(t_1, \ldots, t_n, t_{n+1}, \ldots, t_{m+n}) = u(x_1, \ldots, x_n, y_1, \ldots, y_m)\theta =_{B_1} l^\circ\alpha\theta.$$

Therefore, $t \ll_{B_1} l^\circ$, as desired.
4 Symbolic Rewriting Modulo a Built-in Subtheory

We explain how a rewrite theory $\mathcal{R}$ modulo $\mathcal{E}_0$ defines a symbolic rewrite relation on terms in $T_\Sigma(X_0)_{State}$ constrained by formulas in $QF_{\Sigma_0}(X_0)$. The idea is that, when $\mathcal{E}_0$ is a decidable theory, transitions on the symbolic terms can be performed by rewriting modulo $B_1$, and satisfiability of the formulas can be handled by an SMT decision procedure. This approach provides an efficiently executable symbolic method called rewriting modulo SMT that is sound and complete with respect to the ground rewrite relation of Definition 3 and yields a complete symbolic reachability analysis method.

Definition 5 (Constrained Terms and their Denotation). Let $\mathcal{R} = (\Sigma, E, R)$ be a rewrite theory modulo $\mathcal{E}_0$. A constrained term is a pair $(t ; \varphi)$ in $T_\Sigma(X_0)_{State} \times QF_{\Sigma_0}(X_0)$. Its denotation $[\![t]\!]_\varphi$ is defined as

$$[\![t]\!]_\varphi = \{\, t' \in T_{\Sigma,State} \;\mid\; (\exists \sigma : X_0 \to T_{\Sigma_0})\ t' = t\sigma \wedge \mathcal{T}_{\mathcal{E}_0} \models \varphi\sigma \,\}.$$

The domain of $\sigma$ in Definition 5 ranges over all built-in variables $X_0$ and consequently $[\![t]\!]_\varphi \subseteq T_{\Sigma,State}$ for any $t \in T_\Sigma(X_0)_{State}$, even if $vars(t) \not\subseteq vars(\varphi)$. Intuitively, $[\![t]\!]_\varphi$ denotes the set of all ground states that are instances of $t$ and satisfy $\varphi$.

Before introducing the symbolic rewrite relation on constrained terms induced by a rewrite theory $\mathcal{R}$ modulo $\mathcal{E}_0$, auxiliary notation for variable renaming is required. In the rest of the paper, the expression $fresh\text{-}vars(Y)$, for $Y \subseteq X$ finite, represents a variable renaming $\zeta : X \to X$ satisfying $Y \cap ran(\zeta) = \emptyset$.

Definition 6 (Symbolic Rewrite Relation). Let $\mathcal{R} = (\Sigma, E, R)$ be a rewrite theory modulo built-ins $\mathcal{E}_0$. The symbolic rewrite relation $\rightsquigarrow_{\mathcal{R}}$ induced by $\mathcal{R}$ on $T_\Sigma(X_0)_{State} \times QF_{\Sigma_0}(X_0)$ is defined for $t, u \in T_\Sigma(X_0)_{State}$ and $\varphi, \varphi' \in QF_{\Sigma_0}(X_0)$ by $(t ; \varphi) \rightsquigarrow_{\mathcal{R}} (u ; \varphi')$ iff there is a rule $l \to r$ if $\phi$ in $R$ and a substitution $\theta : X \to T_\Sigma(X)$ such that (a) $t =_E l\zeta\theta$ and $u = r\zeta\theta$, (b) $\mathcal{E}_0 \vdash (\varphi' \Leftrightarrow \varphi \wedge \phi\zeta\theta)$, and (c) $\varphi'$ is $\mathcal{T}_{\mathcal{E}_0}$-satisfiable, where $\zeta = fresh\text{-}vars(vars(t, \varphi))$.

The symbolic relation $\rightsquigarrow_{\mathcal{R}}$ on constrained terms is defined as a topmost rewrite relation induced by $R$ modulo $E$ on $T_\Sigma(X_0)$ with extra bookkeeping of constraints. Note that $\varphi'$ in $(t ; \varphi) \rightsquigarrow_{\mathcal{R}} (u ; \varphi')$, when witnessed by $l \to r$ if $\phi$ and $\theta$, is semantically equivalent to $\varphi \wedge \phi\zeta\theta$, in contrast to being syntactically equal. This extra freedom allows for simplification of constraints if desired. Also, such a constraint $\varphi'$ is satisfiable in $\mathcal{T}_{\mathcal{E}_0}$, implying that $\varphi$ and $\phi\zeta\theta$ are both satisfiable in $\mathcal{T}_{\mathcal{E}_0}$, and therefore $\emptyset \neq [\![u]\!]_{\varphi'}$. Note that, up to the choice of the semantically equivalent $\varphi'$ for which a fixed strategy is assumed, the symbolic relation $\rightsquigarrow_{\mathcal{R}}$ is deterministic because the renaming of variables in the rules is fixed by $fresh\text{-}vars$. This is key when executing $\rightsquigarrow_{\mathcal{R}}$ as explained in Section 5.

The important question to ask is whether this symbolic relation soundly and completely simulates its ground counterpart. The rest of this section answers this question in the affirmative for normalized rewrite theories modulo built-ins. Thanks to Lemma 3, the conclusion is therefore that $\rightsquigarrow_{\mathcal{R}^\circ}$ soundly and completely simulates $\to_{\mathcal{R}}$ for any rewrite theory $\mathcal{R}$ modulo built-ins $\mathcal{E}_0$.
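As an added example (not code from the paper, nor from Maude), the following Python models the abstraction of built-ins of Lemma 1, the normal form of a rule from Definition 4, syntactic matching against $l^\circ$ in the sense of Lemma 4 (with $B_0 = B_1 = \emptyset$, so matching is syntactic) and a symbolic step as in Definition 6, on a constructed signature with built-in sorts Int and Bool and the constructed rule state(x + 1, y) → state(x, y + 2) if x > 0. The satisfiability oracle is a bounded brute-force search standing in for an SMT solver; that oracle, the signature and the rule are assumptions of this example, not the paper's.

```python
from itertools import count, product
from typing import Callable, Dict, List, NamedTuple, Optional, Set, Tuple, Union

BUILTIN = {"Int", "Bool"}  # S_0: sorts of the built-in subsignature (constructed)

class Var(NamedTuple):
    name: str
    sort: str

class App(NamedTuple):
    op: str
    sort: str
    args: tuple = ()

Term = Union[Var, App]

def vars_of(t: Term) -> Set[Var]:
    return {t} if isinstance(t, Var) else set().union(*(vars_of(a) for a in t.args))

def show(t: Term) -> str:
    if isinstance(t, Var) or not t.args:
        return t.name if isinstance(t, Var) else t.op
    return f"{t.op}({', '.join(show(a) for a in t.args)})"

def subst(t: Term, s: Dict[Var, Term]) -> Term:
    return s.get(t, t) if isinstance(t, Var) else App(t.op, t.sort, tuple(subst(a, s) for a in t.args))

def abstract(t: Term, avoid: Set[str]) -> Tuple[Term, Dict[Var, Term], List[Term]]:
    """Lemma 1: every maximal built-in subterm (built-in variables included) becomes a fresh
    Sigma_0 variable #k, so t0 is Sigma_0-linear; phi0 is the conjunction of #k = theta0(#k)."""
    used = {v.name for v in vars_of(t)} | avoid  # the x_i must avoid vars(t) and Y
    fresh = (f"#{k}" for k in count() if f"#{k}" not in used)
    theta: Dict[Var, Term] = {}
    def go(u: Term) -> Term:
        if u.sort not in BUILTIN:
            return u if isinstance(u, Var) else App(u.op, u.sort, tuple(go(a) for a in u.args))
        x = Var(next(fresh), u.sort)
        theta[x] = u
        return x
    t0 = go(t)
    return t0, theta, [App("=", "Bool", (x, w)) for x, w in theta.items()]

def normalize_rule(l: Term, r: Term, phi: List[Term]):
    """Definition 4: the rule l -> r if phi becomes l0 -> r if phi /\\ phi0."""
    l0, _, phi0 = abstract(l, {v.name for u in (l, r, *phi) for v in vars_of(u)})
    return l0, r, phi + phi0

def match(p: Term, t: Term, s: Optional[Dict[Var, Term]] = None) -> Optional[Dict[Var, Term]]:
    """Syntactic matching of t against the linear pattern p (B_1 empty, as in Lemma 4)."""
    s = {} if s is None else s
    if isinstance(p, Var):
        s[p] = t
        return s
    if isinstance(t, Var) or p.op != t.op or len(p.args) != len(t.args):
        return None
    return s if all(match(a, b, s) is not None for a, b in zip(p.args, t.args)) else None

def symbolic_step(t: Term, phi: List[Term], rule, is_sat: Callable[[List[Term]], bool], tag: str):
    """Definition 6 on the normalized rule: (t;phi) ~> (u;phi') with phi' = phi /\\ (cond)zeta theta,
    where zeta renames the rule away from vars(t, phi); the step exists only if phi' is satisfiable."""
    l0, r, cond = normalize_rule(*rule)
    zeta = {v: Var(v.name + tag, v.sort) for u in (l0, r, *cond) for v in vars_of(u)}
    theta = match(subst(l0, zeta), t)
    if theta is None:
        return None
    phi_new = phi + [subst(subst(c, zeta), theta) for c in cond]
    return (subst(subst(r, zeta), theta), phi_new) if is_sat(phi_new) else None

def eval_term(t: Term, env: Dict[str, int]):
    if isinstance(t, Var):
        return env[t.name]
    if not t.args:
        return int(t.op)
    a, b = (eval_term(x, env) for x in t.args)
    return {"+": a + b, ">": a > b, "=": a == b}[t.op]

def bounded_sat(phi: List[Term], bound: int = 6) -> bool:
    """Stand-in for the SMT solver (an assumption of this example, not the paper's method):
    brute-force search for a model of phi with every Int variable in 0..bound-1."""
    names = sorted({v.name for c in phi for v in vars_of(c)})
    return any(all(eval_term(c, dict(zip(names, vals))) for c in phi)
               for vals in product(range(bound), repeat=len(names)))

X, Y, N, M = (Var(s, "Int") for s in "xynm")
num = lambda k: App(str(k), "Int")
# Constructed rule  state(x + 1, y) -> state(x, y + 2) if x > 0  and start pair (state(n, m); n > 3).
RULE = (App("state", "State", (App("+", "Int", (X, num(1))), Y)),
        App("state", "State", (X, App("+", "Int", (Y, num(2))))), [App(">", "Bool", (X, num(0)))])
START = (App("state", "State", (N, M)), [App(">", "Bool", (N, num(3)))])

def run(steps: int = 2) -> List[Tuple[str, List[str]]]:
    """Rewrite (state(n, m); n > 3) symbolically `steps` times and return the trace."""
    (state, phi), trace = START, []
    for i in range(steps):
        res = symbolic_step(state, phi, RULE, bounded_sat, tag="'" * (i + 1))
        if res is None:
            break
        state, phi = res
        trace.append((show(state), [show(c) for c in phi]))
    return trace
```

The tag passed to `symbolic_step` plays the role of `fresh-vars`: a new primed copy of the rule's variables is used at each step, so the accumulated constraint keeps a distinct copy of `x` and `y` per step, exactly the bookkeeping Definition 6 requires.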
The soundness of $\rightsquigarrow_{\mathcal{R}^\circ}$ w.r.t. $\to_{\mathcal{R}^\circ}$ is stated and proved in Theorem 1. Intuitively, soundness means that a pair $(t ; \varphi) \rightsquigarrow_{\mathcal{R}^\circ} (u ; \varphi')$ is a symbolic underapproximation of all pairs such that $t' \to_{\mathcal{R}^\circ} u'$ with $t' \in [\![t]\!]_\varphi$ and $u' \in [\![u]\!]_{\varphi'}$.

Theorem 1 (Soundness). Let $\mathcal{R} = (\Sigma, E, R)$ be a rewrite theory modulo built-ins $\mathcal{E}_0$, $t, u \in T_\Sigma(X_0)_{State}$, and $\varphi, \varphi' \in QF_{\Sigma_0}(X_0)$. If $(t ; \varphi) \rightsquigarrow_{\mathcal{R}^\circ} (u ; \varphi')$, then $t\rho \to_{\mathcal{R}^\circ} u\rho$ for all $\rho : X_0 \to T_{\Sigma_0}$ satisfying $\mathcal{T}_{\mathcal{E}_0} \models \varphi'\rho$.

Proof. Let $\rho : X_0 \to T_{\Sigma_0}$ satisfy $\mathcal{T}_{\mathcal{E}_0} \models \varphi'\rho$. The goal is to show that $t\rho \to_{\mathcal{R}^\circ} u\rho$. Let $l^\circ \to r$ if $\phi \in R^\circ$ and $\theta : X_0 \to T_{\Sigma_0}(X_0)$ witness $(t ; \varphi) \rightsquigarrow_{\mathcal{R}^\circ} (u ; \varphi')$. Then $t =_E l^\circ\zeta\theta$, $u =_E r\zeta\theta$, $\mathcal{E}_0 \vdash (\varphi' \Leftrightarrow \varphi \wedge \phi\zeta\theta)$, and $\varphi'$ is $\mathcal{T}_{\mathcal{E}_0}$-satisfiable. Without loss of generality assume that $\theta|_{vars(t,\varphi)} = id|_{vars(t,\varphi)}$ and let $\sigma = \zeta\theta\rho$. Then note that $t\rho =_E (l^\circ\zeta\theta)\rho = l^\circ\zeta\theta\rho = l^\circ\sigma$ and $u\rho =_E (r\zeta\theta)\rho = r\zeta\theta\rho = r\sigma$. Moreover, $\mathcal{E}_0 \vdash (\varphi' \Leftrightarrow \varphi \wedge \phi\zeta\theta)$ and $\mathcal{T}_{\mathcal{E}_0} \models \varphi'\rho$ imply $\mathcal{T}_{\mathcal{E}_0} \models \phi\zeta\theta\rho$, i.e., $\mathcal{T}_{\mathcal{E}_0} \models \phi\sigma$. Therefore, $t\rho \to_{\mathcal{R}^\circ} u\rho$, as desired. □

The completeness of $\rightsquigarrow_{\mathcal{R}^\circ}$ w.r.t. $\to_{\mathcal{R}^\circ}$ is stated and proved in Theorem 2, which is a "lifting lemma". Intuitively, completeness states that a symbolic relation yields an over-approximation of its ground rewriting counterpart.

Theorem 2 (Completeness). Let $\mathcal{R} = (\Sigma, E, R)$ be a rewrite theory modulo built-ins $\mathcal{E}_0$, $t \in T_\Sigma(X_0)_{State}$, $u' \in T_{\Sigma,State}$, and $\varphi \in QF_{\Sigma_0}(X_0)$. For any $\rho : X_0 \to T_{\Sigma_0}$ such that $t\rho \in [\![t]\!]_\varphi$ and $t\rho \to_{\mathcal{R}^\circ} u'$, there exist $u \in T_\Sigma(X_0)_{State}$ and $\varphi' \in QF_{\Sigma_0}(X_0)$ such that $(t ; \varphi) \rightsquigarrow_{\mathcal{R}^\circ} (u ; \varphi')$ and $u' \in [\![u]\!]_{\varphi'}$.

Proof. By the assumptions there is a rule $(l^\circ \to r$ if $\phi) \in R^\circ$ and a ground substitution $\sigma : X \to T_\Sigma$ satisfying $t\rho =_E l^\circ\sigma$, $u' =_E r\sigma$, and $\mathcal{T}_{\mathcal{E}_0} \models \phi\sigma$. Without loss of generality assume $vars(t, \varphi) \cap vars(l^\circ, r, \phi) = \emptyset$; otherwise $l^\circ, r, \phi$ can be renamed by means of $fresh\text{-}vars$. Furthermore, $\sigma = \rho$ can be assumed. The goal is to show the existence of $u \in T_\Sigma(X)_{State}$ and $\varphi' \in QF_{\Sigma_0}(X_0)$ such that (i) $(t ; \varphi) \rightsquigarrow_{\mathcal{R}^\circ} (u ; \varphi')$ and (ii) $u' \in [\![u]\!]_{\varphi'}$. Since $l^\circ$ is linear and its built-in subterms are variables, by Lemma 2 there exists $\alpha : X \to T_\Sigma$ satisfying $t\alpha =_{B_1} l^\circ\alpha$. Hence $GU_{B_1}(t = l^\circ) \neq \emptyset$ and, by Lemma 4, there exists $\theta' : X \to T_\Sigma(X)$ satisfying $t =_{B_1} l^\circ\theta'$ and a fortiori $t =_{E_0 \uplus B_0 \uplus B_1} l^\circ\theta'$. Let $\theta : X \to T_\Sigma(X)$ be defined by $\theta(x) = \theta'(x)$ if $x \in vars(l^\circ)$ and $\theta(x) = \rho(x)$ otherwise. Note that $\theta|_{vars(l^\circ)}\rho =_{E_0 \uplus B_0} \rho|_{vars(l^\circ)}$. Define $u = r\theta$ and $\varphi' = \varphi \wedge \phi\theta$, and then for (i) and (ii) above:

(i) It suffices to prove that $\mathcal{T}_{\mathcal{E}_0} \models \varphi'\rho$, i.e., $\mathcal{T}_{\mathcal{E}_0} \models (\varphi \wedge \phi\theta)\rho$. By assumption $\mathcal{T}_{\mathcal{E}_0} \models \varphi\rho$ and $\mathcal{T}_{\mathcal{E}_0} \models \phi\rho$. Notice that:

$$\phi\theta\rho = (\phi\theta|_{vars(l^\circ)})\rho =_{E_0 \uplus B_0} (\phi\rho)\rho = \phi\rho.$$

Hence $\mathcal{T}_{\mathcal{E}_0} \models \phi\theta\rho$.

(ii) By assumption $u' =_{E_0 \uplus B_0 \uplus B_1} r\rho$; also:

$$u\rho = r\theta\rho =_{E_0 \uplus B_0 \uplus B_1} r\theta|_{vars(l^\circ)}\rho = r\rho\rho = r\rho.$$

Hence $u' =_{E_0 \uplus B_0 \uplus B_1} u\rho \in [\![u]\!]_{\varphi'}$ by part (i).

□


Although the above soundness and completeness theorems, plus Lemma 3, show that $\to_{\mathcal{R}}$ is fully characterized symbolically by $\leadsto_{\mathcal{R}^\circ}$, for any rewrite theory $\mathcal{R}$ modulo $\mathcal{E}_0$, because of condition (6) in Definition 6, the relation $\leadsto_{\mathcal{R}^\circ}$ is in general undecidable. However, $\leadsto_{\mathcal{R}^\circ}$ becomes decidable for built-in theories $\mathcal{E}_0$ that can be extended to a decidable theory $\mathcal{E}_0^+$ (typically by adding some inductive consequences) such that:

    $(\forall \varphi \in QF_{\Sigma_0}(X_0))\ \ \varphi \text{ is } \mathcal{E}_0^+\text{-satisfiable} \iff (\exists \sigma : X_0 \to T_{\Sigma_0})\ T_{\Sigma_0} \models \varphi\sigma.$   (1)

Many decidable theories $\mathcal{E}_0^+$ of interest are supported by SMT solvers satisfying this requirement. For example, $\mathcal{E}_0$ can be the equational theory of natural number addition and $\mathcal{E}_0^+$ Presburger arithmetic. That is, $T_{\Sigma_0}$ is the standard model of both $\mathcal{E}_0$ and $\mathcal{E}_0^+$, and $\mathcal{E}_0^+$-satisfiability coincides with satisfiability in such a standard model. Under such conditions, satisfiability of $\varphi \wedge \phi\theta$ (and therefore of $\varphi'$) in a step $(t;\varphi) \leadsto_{\mathcal{R}^\circ} (u;\varphi')$ becomes decidable by invoking an SMT solver for $\mathcal{E}_0^+$, so that $\leadsto_{\mathcal{R}^\circ}$ can be naturally described as symbolic rewriting modulo SMT (and modulo $B_1$).

The symbolic reachability problems considered for a rewrite theory $\mathcal{R}$ modulo $\mathcal{E}_0$ in this paper are existential formulas of the form $(\exists \vec{x})\ t \to^* u \wedge \varphi$, with $\vec{x}$ the variables appearing in $t$, $u$, and $\varphi$, $t \in T_\Sigma(X_0)_{State}$, $u \in T_\Sigma(X)_{State}$, and $\varphi \in QF_{\Sigma_0}(X_0)$. By abstracting the $\Sigma_0$-subterms of $u$, the ground solutions of such a reachability problem are those witnessing the model-theoretic satisfaction relation:

    $T_{\mathcal{R}} \models (\exists \vec{x} \uplus \vec{y})\ \ t(\vec{x}) \to^* u^\circ(\vec{y}) \wedge \varphi_1(\vec{x}) \wedge \varphi_2(\vec{x}, \vec{y})$   (2)

where $T_{\mathcal{R}} = (T_{\Sigma/E}, \to^*_{\mathcal{R}})$ is the initial reachability model of $\mathcal{R}$ [11], $t \in T_\Sigma(X)$ and $u^\circ \in T_{\Sigma_1}(X)$ are $\Sigma_0$-linear, $vars(t) \subseteq \vec{x} \subseteq X_0$, and $\vec{y} \subseteq X$. Thanks to the soundness and completeness results, Theorems 1 and 2, the solvability of Condition (2) for $\to_{\mathcal{R}}$ can be achieved by reachability analysis with $\leadsto_{\mathcal{R}^\circ}$. This is stated and proved in Theorem 3.

Theorem 3 (Symbolic Reachability Analysis). Let $\mathcal{R} = (\Sigma, E, R)$ be a rewrite theory modulo built-ins $\mathcal{E}_0$. The reachability problem in Condition (2) has a solution iff there exist a term $v \in T_\Sigma(X)_{State}$, a constraint $\varphi' \in QF_{\Sigma_0}(X_0)$, and a substitution $\theta : X \to T_\Sigma(X)$, with $dom(\theta) \subseteq \vec{y}$, such that (a) $(t;\varphi_1) \leadsto^*_{\mathcal{R}^\circ} (v;\varphi')$, (b) $v =_{B_1} u^\circ\theta$, and (c) $\varphi' \wedge \varphi_2\theta$ is $T_{\Sigma_0}$-satisfiable.

Proof. By Theorems 1 and 2, and induction on the length of the rewrite derivation.

□

In Theorem 3, since $dom(\theta) \subseteq \vec{y}$, and $\vec{x}$ and $\vec{y}$ are disjoint, the variables of $\vec{x}$ in $\varphi_2\theta$ are left unchanged. Therefore, $\varphi_2\theta$ links the requirements for the variables $\vec{x}$ in the initial state and $\vec{y}$ in the final state according to both $\varphi_1$ and $\varphi_2$. Also note that the inclusion of formula $\varphi_1$ as a conjunct in the formula in Condition (c) of Theorem 3 is superfluous because $(t;\varphi_1) \leadsto^*_{\mathcal{R}^\circ} (v;\varphi')$ implies that $\varphi_1$ is a semantic consequence of $\varphi'$.
5 Reflective Implementation of $\leadsto_{\mathcal{R}^\circ}$


The design and implementation of a prototype that offers support for rewriting modulo SMT in the Maude system are discussed. The prototype relies on Maude's meta-level features, which implement rewriting logic's reflective capabilities, and on SMT solving for $\mathcal{E}_0^+$ integrated in Maude as CVC3's decision procedures. The extension of Maude with CVC3 is available from the Matching Logic Project [33]. In the rest of this section, $\mathcal{R} = (\Sigma, E_0 \uplus B_0 \uplus B_1, R)$ is a rewrite theory modulo built-ins $\mathcal{E}_0$, where $\mathcal{E}_0$ satisfies Condition (1) in Section 4. The theory mapping $\mathcal{R} \mapsto u(\mathcal{R})$ removes the constraints from the rules in $R$ and interprets the built-in variables $X_0$ as constants.

In Maude, reflection is efficiently supported by its META-LEVEL module [13], which provides key functionality for rewriting logic's universal theory $\mathcal{U}$ [14]. Rewrite theories $\mathcal{R}$ are meta-represented in $\mathcal{U}$ as terms $\overline{\mathcal{R}}$ of sort Module, and a term $t$ in $\mathcal{R}$ is meta-represented in $\mathcal{U}$ as a term $\overline{t}$ of sort Term. The key idea of the reflective implementation is to reduce symbolic rewriting with $\leadsto_{\mathcal{R}^\circ}$ to standard rewriting in an associated reflective rewrite theory extending the universal theory $\mathcal{U}$. This is especially important for formal analysis purposes, because it makes available to $\leadsto_{\mathcal{R}^\circ}$ some formal analysis features provided by Maude for rewrite theories, such as reachability analysis by search. This is illustrated by the case study in Section 6.

The prototype defines a parametrized functional module SAT($\Sigma_0, E_0 \uplus B_0$) of quantifier-free formulas with $\Sigma_0$-equations as atoms. This module extends $(\Sigma_0, E_0 \uplus B_0)$ with new sorts Atom and QFFormula, and new constants var($X_0$) identifying the variables $X_0$. It has, among other functions, a function sat : QFFormula $\to$ Bool such that for $\phi$, sat($\phi$) $= \top$ if $\phi$ is $\mathcal{E}_0^+$-satisfiable, and sat($\phi$) $= \bot$ otherwise.

The process of computing the one-step rewrites of a given constrained term $(t;\varphi)$ under $\leadsto_{\mathcal{R}^\circ}$ is decomposed into two conceptual steps using Maude's metalevel. First, all possible triples $(u;\theta;\phi)$ such that $t \to_{u(\mathcal{R}^\circ)} u$ is witnessed by a matching substitution $\theta$ and a rule with constraint $\phi$ are computed¹. Second, these triples are filtered out by keeping only those for which the quantifier-free formula $\varphi \wedge \phi\theta$ is $\mathcal{E}_0^+$-satisfiable.

The first step in the process is mechanized by function next, available from the parametrized module NEXT($\overline{\mathcal{R}}$, State, QFFormula) where $\overline{\mathcal{R}}$, State, and QFFormula are the metalevel representations, respectively, of the rewrite theory module $\mathcal{R}$, the state sort State, and the quantifier-free formula sort QFFormula. Function next uses Maude's meta-match function and the auxiliary function new-vars for computing fresh variables (see Section 4). The call

    next($((S, \le, F \uplus var(X_0)), E_0 \uplus B_0 \uplus B_1, R^\circ)$, $\overline{t}$, $\overline{\varphi}$)

computes all possible triples $(u;\theta';\phi')$ such that $t \to_{u(\mathcal{R}^\circ)} u$ is witnessed by a substitution $\theta'$ and a rule with constraint $\phi'$. More precisely, such a call first computes a renaming $\zeta$ = fresh-vars($vars(t,\varphi)$) and then, for each rule $(l^\circ \to r \text{ if } \phi)$, it uses the function meta-match to obtain a substitution

    $\theta \in$ meta-match($((S, \le, F \uplus var(X_0)), B_0 \uplus B_1)$, $\overline{t\!\downarrow_{E_0/B_0 \uplus B_1}}$, $\overline{l^\circ\zeta}$)

and returns $(u;\theta';\phi')$ with $u = r\zeta\theta$, $\theta' = \zeta\theta$, and $\phi' = \phi\zeta\theta$. Note that by having a deterministic choice of fresh variables (including those in the constraint), function next is actually a deterministic function.

¹ Note that in $u(\mathcal{R}^\circ)$ variables in $X_0$ are interpreted as constants. Therefore, the number of matching substitutions $\theta$ thus obtained is finite.

Using the above-mentioned infrastructure, the parametrized module NEXT implements the symbolic rewrite relation $\leadsto_{\mathcal{R}^\circ}$ as a standard rewrite relation in the theory NEXT, extending META-LEVEL, by means of the following conditional rewrite rule:

    $(X{:}State\ ;\ \varphi{:}QFFormula) \to (Y{:}State\ ;\ \varphi'{:}QFFormula)$
      if $(Y;\theta;\phi)\ S := next(\overline{\mathcal{R}^*}, X, \varphi)\ \wedge\ sat(\varphi \wedge \phi\theta) = \top\ \wedge\ \varphi' := \varphi \wedge \phi\theta$

where $\mathcal{R}^* = ((S, \le, F \uplus var(X_0)), B, R^\circ)$. Therefore, a call to an external SMT solver is just an invocation of the function sat in SAT($\Sigma_0, E_0 \uplus B_0$) in order to achieve the above functionality more efficiently and in a built-in way.

Given that the symbolic rewrite relation $\leadsto_{\mathcal{R}^\circ}$ is encoded as a standard rewrite relation, symbolic search can be directly implemented in Maude by its search command. In particular, for terms $t, u^\circ$, constraints $\varphi_1, \varphi_2$, and $F$ a variable of sort QFFormula, the following invocation solves the inductive reachability problem in Condition (2):

    search $(t;\varphi_1) \to^* (u^\circ;F)$ such that sat$(F \wedge \varphi_2)$.

6 Analysis of the CASH algorithm 

This section presents an example, developed jointly with Kyungmin Bae, of a real- 
time system beyond the scope of timed automata [2] that can be symbolically an- 
alyzed in the prototype tool integrating Maude and CVC3 described in Section 5. 
The analysis uses such a prototype to perform model checking based on rewriting 
modulo SMT. Some details are omitted; full details and the prototype tool can be 
found in [8]. 

The example involves the symbolic analysis of the CASH scheduling algorithm, 
developed by Caccamo, Buttazzo, and Sha [12], which attempts to maximize sys- 
tem performance while guaranteeing that critical tasks are executed in a timely 
manner. This is achieved by maintaining a queue of unused execution budgets that 
can be reused by other jobs to maximize processor utilization. CASH poses non- 
trivial modeling and analysis challenges because it contains an unbounded queue. 
Unbounded data types cannot be modeled in timed-automata formalisms, such as 
those of UPPAAL [20] or Kronos [37], which assume a finite discrete state. 

The CASH algorithm was specified and analyzed in Real-Time Maude by explicit-state model checking in an earlier paper by Ölveczky and Caccamo [29], which showed that, under certain variations on both the assumptions and the design of the protocol, it could miss deadlines. But explicit-state model checking has intrinsic limitations which the new analysis by rewriting modulo SMT presented below overcomes. The CASH algorithm is parametrized by: (i) the number $N$ of servers in the system, and (ii) the values of a maximum budget $b_i$ and period $p_i$, for each server $1 \le i \le N$. Even if $N$ is fixed, there are infinitely many initial states for $N$ servers, since the maximum budgets $b_i$ and periods $p_i$ range over the natural numbers. Therefore, explicit-state model checking cannot perform a full analysis. If a counterexample for $N$ servers exists, it may be found by explicit-state model checking for some chosen initial states, as done in [30], but it could be missed if the wrong initial states are chosen.

Rewriting modulo SMT is useful for symbolically analyzing infinite-state systems like CASH. Infinite sets of states are symbolically described by terms which may involve user-definable data structures such as queues, but whose only variables range over decidable types for which an SMT solving procedure is available. For the CASH algorithm, the built-in data types used are the Booleans (sort iBool) and the integers (sort iInt). Integer built-in terms are used to model discrete time. Boolean built-in terms are used to impose constraints on integers.

A symbolic state is a pair {iB, Cnf} of sort Sys consisting of a Boolean constraint iB, with conjunction ("and") denoted ~, and a multiset configuration of objects Cnf, with multiset union denoted by juxtaposition, where each object is a record-like structure with an object identifier, a class name, and a set of attribute-value pairs. In each object configuration there is a global object (of class global) that models the time of the system (with attribute name time), the priority queue (with attribute name cq), the availability (with attribute name available), and a deadline-missed flag (with attribute name deadline-miss). A configuration can also contain any number of server objects (of class server). Each server object models the maximum budget (the maximum time within which a given job will be finished, with attribute name maxBudget), period (with attribute name period), internal state (with attribute name state), time executed (with attribute name timeExecuted), budget time used (with attribute name usedOfBudget), and time to deadline (with attribute name timeToDeadline). The symbolic transitions of CASH are specified by 14 conditional rewrite rules whose conditions specify constraints solvable by the SMT decision procedure. For example, rule [deadlineMiss] below models the detection of a deadline miss for a server with nonzero maximum budget.


    vars AtSG AtS : AttributeSet .
    var iB : iBool .
    var Cnf : Configuration .
    vars iT iT' iNZT : iInt .
    var St : ServerState .
    vars G S : Oid .
    var B : Bool .

    crl [deadlineMiss] :
      { iB, < G : global | dead-miss |-> B, AtSG >
            < S : server | state |-> St, usedOfBudget |-> iT,
                           timeToDeadline |-> iT',
                           maxBudget |-> iNZT, AtS > Cnf }
      => { iB ~ iT >= c(0) ~ iNZT > c(0) ~ iT' > c(0) ~ iNZT > iT + iT',
            < G : global | dead-miss |-> true, AtSG >
            < S : server | state |-> St, usedOfBudget |-> iT,
                           timeToDeadline |-> iT',
                           maxBudget |-> iNZT, AtS > Cnf }
      if St =/= idle /\ check-sat(iB ~ iT >= c(0) ~ iNZT > c(0) ~ iT' > c(0) ~
                                  iNZT > iT + iT') .

That is, the protocol misses a deadline for server S whenever the value of attribute maxBudget exceeds the sum of the values of usedOfBudget and timeToDeadline (i.e., iNZT > iT + iT'), so that the allocated execution time cannot be exhausted before the server's deadline.

The goal is to verify symbolically the existence of missed deadlines of the CASH algorithm for the infinite set of initial configurations containing two server objects $s_0$ and $s_1$ with maximum budgets $b_0$ and $b_1$ and periods $p_0$ and $p_1$ as unspecified natural numbers, and such that each server's maximum budget is strictly smaller than its period (i.e., $0 < b_0 < p_0 \wedge 0 < b_1 < p_1$). This infinite set of initial states is specified symbolically by the equational definition (not shown) of term symbinit. Maude's search command can then be used to symbolically check if there is a reachable state for any ground instance of symbinit that misses the deadline:

    search in SYMBOLIC-FAILURE : symbinit =>*
      { iB:iBool, Cnf:Configuration < g : global |
        AtS:AttributeSet, deadline-miss |-> true > } .

    Solution 1 (state 233)
    states: 234  rewrites: 60517 in 2865ms cpu (2865ms real) (21118 rewrites/second)
    iB:iBool --> ((i(0) <= c(0) ~ i(1) <= c(0)) v i(0) <= c(0) + i(1)
    Cnf:Configuration -->
      < s1 : server | maxBudget |-> i(0), period |-> i(1),
                      state |-> waiting, usedOfBudget |-> c(0),
                      timeToDeadline |-> ((i(1) - c(1)) - c(1)),
                      timeExecuted |-> c(0) >
      < s2 : server | maxBudget |-> i(2), period |-> i(3),
                      state |-> executing, usedOfBudget |-> c(2),
                      timeToDeadline |-> ((i(3) - c(1)) - c(1)),
                      timeExecuted |-> c(2) >
    AtS:AttributeSet --> time |-> c(2), cq |-> emptyQueue, available |-> false

A counterexample is found at (modeling) time two, after exploring 233 symbolic states in less than 3 seconds. By using a satisfiability witness of the constraint iB computed by the search command, a concrete counterexample is found by exploring only 54 ground states. This result compares favorably, in both time and computational resources, with the ground counterexample found by explicit-state model checking in [29], where more than 52,000 concrete states were explored before finding a counterexample.
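As an added illustration, not code from the paper or its Maude/CVC3 prototype, the following Python model runs a one-server slice of the symbolic CASH search: it follows the next-then-filter scheme of Section 5 (candidate rewrites first, then only those whose accumulated constraint is satisfiable are kept) and the [deadlineMiss] rule above. It assumes symbolic names b and p for maxBudget and period, a constructed "wait"/"execute" time step, and a bounded enumeration standing in for the CVC3 satisfiability call.

```python
from itertools import product

# Constructed toy: symbolic integers are the names 'b' (maxBudget) and 'p'
# (period); linear terms are ints, names, or ('+'|'-', a, c); a constraint is a
# tuple of atoms (op, lhs, rhs) read as a conjunction (the rule's "iB ~ ...").
BOUND = 5  # constructed: the stand-in solver enumerates 0..BOUND per variable
OPS = {'>': lambda x, y: x > y, '>=': lambda x, y: x >= y, '<': lambda x, y: x < y}

def evaluate(term, env):
    if isinstance(term, int):
        return term
    if isinstance(term, str):
        return env[term]
    op, a, c = term
    x, y = evaluate(a, env), evaluate(c, env)
    return x + y if op == '+' else x - y

def check_sat(constraint, variables=('b', 'p')):
    """Bounded stand-in for the CVC3 call: a satisfying assignment over 0..BOUND
    or None (sound for 'sat', incomplete for 'unsat' because of the bound)."""
    for vals in product(range(BOUND + 1), repeat=len(variables)):
        env = dict(zip(variables, vals))
        if all(OPS[op](evaluate(l, env), evaluate(r, env)) for op, l, r in constraint):
            return env
    return None

# Symbolic state: (constraint, server state, usedOfBudget, timeToDeadline, missed);
# initially 0 < b < p, the server waiting with its whole period p ahead of it.
INIT = ((('<', 0, 'b'), ('<', 'b', 'p')), 'waiting', 0, 'p', False)

def rules(state):
    """Step one of next: candidate rewrites (u; phi_rule), before the SMT filter."""
    _, st, used, ttd, missed = state
    out = []
    if st != 'idle' and not missed:  # deadlineMiss: maxBudget > used + timeToDeadline
        atoms = (('>=', used, 0), ('>', 'b', 0), ('>', ttd, 0), ('>', 'b', ('+', used, ttd)))
        out.append(((st, used, ttd, True), atoms))
    if not missed:  # constructed: one time unit passes, waiting or executing
        out.append((('waiting', used, ('-', ttd, 1), False), (('>', ttd, 0),)))
        out.append((('executing', ('+', used, 1), ('-', ttd, 1), False), (('>', ttd, 0),)))
    return out

def symbolic_next(state):
    """Step two of next: keep (u; phi /\ phi_rule) only if the conjunction is satisfiable."""
    succ = []
    for (st, used, ttd, missed), atoms in rules(state):
        new_phi = state[0] + atoms
        if check_sat(new_phi) is not None:
            succ.append((new_phi, st, used, ttd, missed))
    return succ

def search_deadline_miss(init=INIT, max_depth=4):
    """Breadth-first symbolic search (the role of Maude's search command):
    (steps, satisfiability witness) for the first reachable miss, or None."""
    frontier = [init]
    for depth in range(max_depth + 1):
        for s in frontier:
            if s[4]:
                return depth, check_sat(s[0])
        frontier = [n for s in frontier for n in symbolic_next(s)]
    return None
```

The miss becomes reachable only after two idle time units (b > p - 2 together with b < p), and the witness b = 2, p = 3 is the concrete instance a ground run would need, mirroring how the paper's counterexample at time two is turned into a ground one.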
7 Related Work and Concluding Remarks

The idea of combining term rewriting/narrowing techniques and constrained data structures is an active area of research, especially since the advent of modern theorem provers with highly efficient decision procedures in the form of SMT solvers. The overall aim of these techniques is to advance the applicability of methods in symbolic verification where the constraints are expressed in some logic that has an efficient decision procedure (see [28] for an overview). In particular, the work presented here has strong similarities with the narrowing-based symbolic analysis of rewrite theories initiated in [24] and extended in [7]. The main difference is the replacement of narrowing by SMT solving and the decidability advantages of SMT for constraint solving.

M. Ayala-Rincón [4] investigates, in the setting of many-sorted equational logic, the expressiveness of conditional equational systems whose conditions may use built-in predicates. This class of equational theories is important because the combination of equational and built-in premises yields a type of clauses which is more expressive than purely conditional equations. Rewriting notions like confluence, termination, and critical pairs are also investigated. S. Falke and D. Kapur [15] studied the problem of termination of rewriting with constrained built-ins. In particular, they extended the dependency pairs framework to handle termination of equational specifications with semantic data structures and evaluation strategies in the Maude functional sublanguage. The same authors used the idea of combining rewriting induction and linear arithmetic over constrained terms [16]. Their aim is to obtain equational decision procedures that can handle semantic data types represented by the constrained built-ins. H. Kirchner and C. Ringeissen proposed the notion of constrained rewriting and have used it by combining symbolic constraint solvers [19]. The main difference between their work and the rewriting modulo SMT presented in this paper is that the former uses narrowing for symbolic execution, both at the symbolic 'pattern matching' and the constraint solving levels. In contrast, rewriting modulo SMT solves the symbolic pattern matching task by rewriting, while constraint solving is delegated to an SMT decision procedure. More generally, a difference common to [4, 15, 16, 19] is that all of those papers address symbolic reasoning for equational theorem proving purposes, but none of them addresses the kind of non-deterministic rewrite rules which are needed for open system modeling.

This paper has presented rewrite theories modulo built-ins and has shown how they can be used for symbolically modeling and analyzing concurrent open systems, where non-deterministic values from the environment can be represented by built-in terms. Under reasonable assumptions, including decidability of $\mathcal{E}_0^+$, a rewrite theory modulo $\mathcal{E}_0$ is executable by term rewriting modulo SMT. This feature makes it possible to use, for symbolic analysis, state-of-the-art tools already available for Maude, such as its state space search commands, with no change whatsoever required to use such tools. We have proved that the symbolic rewrite relation is sound and complete with respect to its ground counterpart, have presented an overview of the prototype that offers support for rewriting modulo SMT in Maude, and have presented a case study on the symbolic analysis of the CASH scheduling algorithm illustrating the use of these techniques.

Future work on a mature implementation and on extending the idea of rewriting modulo SMT with other symbolic constraint solving techniques such as narrowing modulo should be pursued. Also, the extension to symbolic LTL model checking, together with state space reduction techniques, should be investigated. The ideas presented here extend results in [32] and have been successfully applied to the symbolic analysis of NASA's PLEXIL language to program open cyber-physical systems [32]. Future applications to PLEXIL and other languages should also be pursued.